When, 10 years ago, a massive cyber attack hit Hansabank, the bank he had worked for as a cyber specialist, Toomas Vaks felt that his entire country had been shaken to the core. It hadn’t been long since the former Soviet republic had rebuilt itself from scratch into one of the world’s most wired societies.
“What if the conflict escalates and our country were to be occupied again?” Vaks, now head of cyber security at the Estonian Information System Authority, a government agency set up after the 2007 attack to help the country keep abreast of cyber patterns, remembers thinking.
The series of hacks, unofficially linked to Russia, wreaked havoc in Estonian banks and government websites, but was quickly tamed, highlighting both Estonia’s vulnerability and its formidable cyber know-how. The cyber domain had become a “theater of war” for nation states, and Vaks decided to work toward shoring up his country’s defenses.
Now, against the backdrop of an increasingly global cyber-security landscape, Estonia is about to take a breakthrough step in this direction by opening a “data embassy” on foreign soil, in Luxembourg, so that Estonia can continue operating outside its borders should a war break out or other natural disaster occur.
For lack of a paper trail
The “embassy,” in Betzdorf, Luxembourg, will safeguard what Estonian society depends on – its online data and infrastructure. It is there, in a high-security, “Tier-4” data center where Estonia’s most critical, confidential data will be stored.
Under a bilateral agreement between the Estonian and Luxembourg governments expected to be signed within weeks, the Estonian data will receive the type of protection and immunity given “regular” embassies under the Vienna Convention, the 1961 international treaty that defines diplomatic relations between independent countries. That means that officials from the host country, in this case Luxembourg, will be barred from accessing the data.
“We wanted to be sure that the control is in our hands,” says Mikk Lellsaar, head of the state cloud department at the Estonian Ministry of Economic Affairs and Communications.
Estonia’s pilot project, the world’s first, is seen as one piece in the complex puzzle of how to make countries safer in a vulnerable cyber world.
The Baltic country began storing some of its non-critical digital infrastructure, including information on its road system, in privately owned public clouds like Amazon Web Services and Microsoft Azure years ago. But the data embassy goes further, giving added protection to data considered essential for Estonian society to operate. Those include the country’s laws, which in Estonia have no paper trail, and patient health records.
The data embassy has become all the more important now that anybody in the world can become an e-resident of Estonia with a national ID card that allows them to register an Estonian company online and set up Estonian bank accounts online.
“If something happens here with our business registry, we want to make sure that the data of businesses owned by e-residents – about their businesses, their stock ownerships, the land property they own in Estonia – can be accessed from abroad and is not lost,” says Lellsaar.
One step toward a ‘borderless’ society
Estonia is breaking new legal ground. Gilles Feith, the head of the Luxembourg government’s IT activities, sees the data embassy as a breakthrough, if “logical next step” to take for one of the world’s most connected societies.
It “puts us closer to the goal of a digital Europe” where the same rights and regulations applied to the physical world could apply to cyberspace. “In a digital world, we have to put overboard old concepts of nations’ borders,” Feith says.
Luxembourg is one of a number of governments where Estonia has expressed interest in establishing a data embassy. The equally small, digitally minded country that’s profiled itself as a world hub for secure data centers responded the fastest and most enthusiastically, Estonian officials say.
Recent political events and worldwide cyber attacks have encouraged Estonia to take a closer look at keeping the country working outside of its border.
Since Russia annexed Crimea in 2014, Estonia, along with its Baltic neighbors Latvia and Lithuania, has seen nearby Russian military drills that are occasionally followed by cyber activities. And it’s seen cyber meddling with political campaigns of major Western democracies, including the United States, France and Germany, part of an effort on behalf of Russia to destabilize the countries and erode people’s trust in their systems, says Piret Pernik, a researcher at the International Centre for Defence and Security in Tallinn.
“In Estonia we vote over the internet, we pay taxes over the internet – there’s almost nothing now we don’t do digitally,” says Toomas Vaks. “We have a very aggressive neighbor and we need to be sure that whatever happens to our territory in the future, Estonia can survive.”
Cyber security issues are expected to gain greater attention starting June 30, when Estonia takes over the rotating presidency of the EU Council, an occasion that “will make Estonia a more attractive target for foreign intelligence services and cyber criminals – and for cyber activists who want to forward a political message,” Vaks wrote in this year’s “cyber security assessment” of the country, which he released last month.
John Bumgarner, chief technology officer for the US Cyber Consequences Unit, a Washington-based non-profit group that studies the impact of cyber threats, says the Estonian data embassy is another sign of Estonia taking the lead in cyber defense matters. “This small country’s successes could be a model for the whole of NATO,” he says.
But the data embassy fails to answer the bigger question, he adds. “While we certainly need to do a better job of assisting each other, there needs to be a better understanding of how NATO responds to a cyber attack on one of its member states. Do they drop bombs? Do they establish digital blockades? Do they deploy cyber peacekeepers?
There are so many pieces of the puzzle not yet answered, but it’s time to ask these pertinent questions.”
Trust is key
Estonia is careful about safeguarding public information that holds high symbolic value. “If somebody starts defacing the presidential website, our own citizens will start to panic and say ‘what’s wrong,'” says Lellsaar, the Estonian government’s head of cloud. “That could cause lots of harm.”
And indeed, trust is the basis of Estonia’s “e-way of life,” says Liis Rebane, Estonia’s head of cyber security policy.
Nowhere else do people’s data move as freely through the hands of government, and yet nowhere is people’s trust in their government as strong. “We see progress, we see technology as a way of enabling societal progress,” says Priit Alamae, chief executive of Nortal, the software company that built much of the technology that fueled Estonia’s e-society digital services.
The data embassy is about ensuring Estonia’s digital continuity, says Liis Rebane. “It’s only one piece of the puzzle” to keep Estonians’ trust in their digital society strong.